Overview#
Digital Assertions as in SAML#
An assertion is a package of information that supplies one or more statements made by a SAML authority. A SAML assertion is a compound of one or more of three kinds of "statement" about a Digital Subject (a human or a program):
- Authentication statement
- Attribute statement
- Authorization decision statement
SAML can be extended to incorporate other kinds of assertions and statements.
Assertions can, and in practice should, be digitally signed; without a signature the relying party cannot tell who actually issued the assertion or whether it was altered in transit.
Common information#
All SAML assertions share some common information:
- Assertion ID - a unique identifier for this particular assertion
- Issuer ID and issuance timestamp - who is making the claim, and when
- Subject - the Digital Subject that the claims are about
  - Name plus the security domain
  - Optional subject confirmation, e.g. a public key
- "Conditions" under which the assertion is valid
  - SAML clients must reject assertions containing unsupported conditions
  - Special kind of condition: the assertion validity period (NotBefore / NotOnOrAfter)
  - Audience restriction: the assertion is only valid for the relying party (or parties) named in it
- Additional "advice" - e.g. to explain how the assertion was made
SAML assertion Structure Image #
The outer structure of an assertion is generic, providing information that is common to all of the statements within it. Within an assertion, a series of inner elements describe the SAML Authentication Statement, SAML Attribute Statement, SAML Authorization Decision Statement, or user-defined statements containing the specifics. The diagram below illustrates the high-level structure of a typical SAML authentication assertion.
Sample common information assertion#
```xml
<saml:Assertion MajorVersion="1" MinorVersion="0"
    AssertionID="192.168.1.12.3456"
    Issuer="services.willeke.biz"
    IssueInstant="2009-12-03T10:02:00Z">
  <saml:Conditions NotBefore="2009-12-03T10:00:00Z" NotOnOrAfter="2009-12-03T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>…URI…</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:Advice>
    .. a variety of elements can go here ..
  </saml:Advice>
  ...statements go here...
</saml:Assertion>
```
The saml: prefix is bound to the SAML assertion namespace, an XML Schema that covers assertions only (protocol request and response messages live in the separate samlp: namespace). The attributes shown here (MajorVersion/MinorVersion, AssertionID, Issuer as an attribute) are SAML 1.x syntax; a SAML 2.0 assertion carries Version="2.0", an ID attribute and a <saml:Issuer> child element instead. Identifiers such as AssertionID are opaque to SAML; it is up to the issuer to ensure they are unique in the domain that matters, and a relying party should remember the IDs it has already accepted so that the same assertion cannot be replayed within its validity window.
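The following is an added example, not code from the original page or from any SAML implementation. It parses the common information of the SAML 1.x assertion shown above using only the Python standard library and applies the checks a relying party must make on it: issuer, validity window (with a little clock skew), audience restriction, and rejection of any condition it does not understand. The audience URI, the trusted issuer name and the clock-skew value are assumptions; the sample assertion is constructed from the page's example with its "…URI…" audience filled in. XML signature verification is deliberately left out because it needs an XML-DSig library; nothing this code extracts may be trusted until the signature has been verified.

```python
"""Parse and check the common information of a SAML 1.x assertion.

Added example, not code from the original page or from any SAML library.
It uses only the Python standard library and the SAML 1.x syntax shown on
the page (MajorVersion/MinorVersion, AssertionID, Issuer attribute).
The audience URI, trusted issuer and clock skew are assumptions.
XML signature verification is NOT implemented here; a real relying party
must verify the signature before trusting anything this code extracts.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1_NS}

# Conditions this relying party understands. As the page states, an assertion
# carrying any other condition must be rejected, not silently accepted.
SUPPORTED_CONDITIONS = {f"{{{SAML1_NS}}}AudienceRestrictionCondition"}

# Assumed identifiers for this relying party (hypothetical values).
MY_AUDIENCE = "https://sp.example.com/acs"
TRUSTED_ISSUER = "services.willeke.biz"

# Constructed sample: the page's assertion with the "...URI..." audience filled in.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1_NS}"
    MajorVersion="1" MinorVersion="0"
    AssertionID="192.168.1.12.3456" Issuer="services.willeke.biz"
    IssueInstant="2009-12-03T10:02:00Z">
  <saml:Conditions NotBefore="2009-12-03T10:00:00Z" NotOnOrAfter="2009-12-03T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>{MY_AUDIENCE}</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
</saml:Assertion>"""


class AssertionRejected(Exception):
    """Raised for any reason the assertion must not be accepted."""


@dataclass
class CommonInfo:
    assertion_id: str
    issuer: str
    issue_instant: datetime
    not_before: datetime | None
    not_on_or_after: datetime | None
    audiences: list[str] = field(default_factory=list)


def _ts(value: str) -> datetime:
    """SAML timestamps are UTC xs:dateTime values ending in 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_common_info(xml_text: str) -> CommonInfo:
    """Extract ID, issuer, issue instant, validity window and audiences."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML1_NS}}}Assertion":
        raise AssertionRejected("root element is not a SAML 1.x Assertion")
    conditions = root.find("saml:Conditions", NS)
    cattr = conditions.attrib if conditions is not None else {}
    info = CommonInfo(
        assertion_id=root.attrib["AssertionID"],
        issuer=root.attrib["Issuer"],
        issue_instant=_ts(root.attrib["IssueInstant"]),
        not_before=_ts(cattr["NotBefore"]) if "NotBefore" in cattr else None,
        not_on_or_after=_ts(cattr["NotOnOrAfter"]) if "NotOnOrAfter" in cattr else None,
    )
    if conditions is not None:
        for cond in conditions:
            if cond.tag not in SUPPORTED_CONDITIONS:
                raise AssertionRejected(f"unsupported condition {cond.tag}")
            info.audiences.extend(
                a.text.strip() for a in cond.findall("saml:Audience", NS) if a.text
            )
    return info


def validate(info: CommonInfo, now: datetime, issuer: str = TRUSTED_ISSUER,
             audience: str = MY_AUDIENCE, skew: timedelta = timedelta(seconds=60)) -> bool:
    """Enforce issuer, validity window (allowing clock skew) and audience restriction."""
    if info.issuer != issuer:
        raise AssertionRejected(f"untrusted issuer {info.issuer!r}")
    if info.not_before is not None and now + skew < info.not_before:
        raise AssertionRejected("assertion not yet valid")
    if info.not_on_or_after is not None and now - skew >= info.not_on_or_after:
        raise AssertionRejected("assertion expired")
    if info.audiences and audience not in info.audiences:
        raise AssertionRejected("assertion not intended for this audience")
    return True


def check(xml_text: str, now_iso: str, audience: str = MY_AUDIENCE) -> str:
    """Return 'ok' or the rejection reason, so callers get one verdict string."""
    try:
        info = parse_common_info(xml_text)
        validate(info, _ts(now_iso), audience=audience)
        return "ok"
    except AssertionRejected as exc:
        return f"rejected: {exc}"
    except (ET.ParseError, KeyError) as exc:
        return f"rejected: malformed assertion ({exc!r})"


if __name__ == "__main__":
    print(check(SAMPLE_ASSERTION, "2009-12-03T10:03:00Z"))  # ok
    print(check(SAMPLE_ASSERTION, "2009-12-03T10:10:00Z"))  # rejected: assertion expired
```

The order of checks matters: parsing refuses unknown conditions before any other evaluation, so an attacker cannot smuggle in a condition that a lenient parser would ignore. The skew is applied symmetrically to both ends of the validity window; a relying party that uses a wide skew effectively extends the five-minute lifetime the issuer intended.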
More Information#
There might be more information for this subject on one of the following:
- Digital Subject
- FAL 2
- Glossary Of LDAP And Directory Terminology
- IDP-Initiated SSO-POST
- Identity Broker
- SAML
- SP-Initiated SSO-POST-POST
- Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
- Security Token
- Token Binding over HTTP
- Web Blog_blogentry_231215_1